Sunday 18 March 2012

[EN] "How to stop Wordpress user enumeration"


After I published a few vulnerabilities called "user enumeration" (for the latest Wordpress, for example),
I saw many words in the 'statistics' of this blog like:
"how to stop wordpress user enumeration".

Nice idea to talk about :)

In my opinion, the simplest way to stop user enumeration is to create a file (or rule)
so that if you send "good input" the output says "ok", but if you send "wrong input" the answer is
a 404 defined by you. (That "404.php" could itself be vulnerable if it reflects some $params values in the 404 output.)

So if a user sends wrong input, the reaction of the application should be the same as for non-existing content.
For example: "You asked wrong".

Simple. :)
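As an added illustration (not code from the original post), the rule above in Python: a "before" handler that answers unknown and malformed author ids differently and echoes the parameter into its error page, an "after" handler that returns one fixed 404 for everything except a real author, and a small check a defender can keep as a regression test. The user table, ids and probe inputs are constructed samples.

```python
from dataclasses import dataclass

# Constructed sample user table; ids and names are placeholders, not real data.
USERS = {1: "admin", 2: "editor"}


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def leaky_author(param: str) -> Response:
    """'Before': three different answers, and the error page echoes the parameter."""
    if not param.isdigit():
        return Response(400, f"Bad author parameter: {param}")
    name = USERS.get(int(param))
    if name is None:
        return Response(404, f"No author with id {param}")
    return Response(301, f"Location: /author/{name}/")


# One fixed 404 for every kind of wrong input; it is never built from the request.
NOT_FOUND = Response(404, "You asked wrong")


def hardened_author(param: str) -> Response:
    """'After': a real author id gets "ok"; anything else gets the same 404 as missing content."""
    if param.isdigit() and int(param) in USERS:
        return Response(200, "ok")
    return NOT_FOUND


def enumeration_oracle(handler, wrong_inputs):
    """Defender's check: every wrong input must get the identical response, and no
    response may reflect the input. Returns a list of findings (empty means uniform)."""
    findings = []
    responses = {p: handler(p) for p in wrong_inputs}
    baseline = next(iter(responses.values()))
    for probe, resp in responses.items():
        if resp != baseline:
            findings.append(f"{probe!r}: status {resp.status} differs from baseline {baseline.status}")
        if probe and probe in resp.body:
            findings.append(f"{probe!r}: input reflected in response body")
    return findings


# Constructed probes: an unknown id, a non-numeric value, and two malformed strings.
WRONG_INPUTS = ["999", "abc", "<script>", "1 OR 1=1"]
```

Running `enumeration_oracle` against both handlers shows the leaky one producing findings for every probe while the hardened one produces none.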


If you want more ideas, let me do it for you ;)

